medium
6.1
CWE
79
Advisory Published
CVE Published
Updated

CVE-2019-10010: XSS

First published: Thu Mar 21 2019(Updated: )

## CVE-2019-10010 ### Impact In `league/commonmark` 0.18.2 and below, malicious users can insert double-encoded HTML entities into their Markdown like this: ```md [XSS](javascript&amp;colon;alert%28&#039;XSS&#039;%29) ``` This library would (correctly) unescape the `&amp;` entity to `&` during the parsing step. However, **the renderer step would fail to properly re-escape the resulting `&colon;` string**, thus producing the following malicious HTML output: ```html <p><a href="javascript&colon;alert('XSS')">XSS</a></p> ``` Browsers would interpret `&colon;` as a `:` character and allow the JS to be executed when the link is clicked. This vulnerability was present in the upstream library this project was forked from and therefore exists in all prior versions of `league/commonmark`. ### Solution The new [0.18.3](https://github.com/thephpleague/commonmark/releases/tag/0.18.3) release mirrors [the fix made upstream](https://github.com/commonmark/commonmark.js/commit/c89b35c5fc99bdf1d2181f7f0c9fcb8a1abc27c8) - we no longer attempt to preserve entities when rendering HTML attributes like `href`, `src`, `title`, etc. The `$preserveEntities` parameter of `Xml::escape()` is therefore no longer used internally, so it has been deprecated and marked for removal in the next major release (0.19.0). ### Credits - Mohit Fawaz for identifying the issue - Sebastiaan Knijnenburg and Ross Tuck for responsibly disclosing/relaying the issue - John MacFarlane for investigating it and implementing the upstream fix we mirrored here ### References - https://nvd.nist.gov/vuln/detail/CVE-2019-10010 - https://github.com/thephpleague/commonmark/releases/tag/0.18.3 - https://github.com/thephpleague/commonmark/issues/353 - https://github.com/FriendsOfPHP/security-advisories/blob/master/league/commonmark/CVE-2019-10010.yaml

Credit: cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
composer/league/commonmark<0.18.3
Thephpleague Commonmark<0.18.3
composer/league/commonmark<0.18.3
0.18.3

Remedy

https://github.com/thephpleague/commonmark/issues/353

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2019-10010?

    CVE-2019-10010 is a cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3.

  • How does CVE-2019-10010 work?

    CVE-2019-10010 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering.

  • What is the severity of CVE-2019-10010?

    The severity of CVE-2019-10010 is medium with a severity value of 6.1.

  • Which software versions are affected by CVE-2019-10010?

    The PHP League CommonMark library versions up to but excluding 0.18.3 are affected by CVE-2019-10010.

  • How can I fix CVE-2019-10010?

    To fix CVE-2019-10010, you should update to version 0.18.3 of the PHP League CommonMark library.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203